Bug 969463

Thanks for your bug report, I'd like to ask about more details to allow me to investigate.

Fresh f19 install or upgrade from earlier version?

Using Firefox or another browser? Did you try more than one browser?

Ok, subject says firefox.

Can you please paste the output of the command below?

$ rpm -qa firefox\* nss\* nspr\* ca-certificate\* p11-kit\*

Please also provide output of two additional commands:

$ ls -l /etc/alternatives/libnssckbi.*

$ ls -l /etc/pki/ca-trust/source/anchors/ /etc/pki/ca-trust/source/ /etc/pki/ca-trust/source/blacklist/ /usr/share/pki/ca-trust-source/ /usr/share/pki/ca-trust-source/anchors/ /usr/share/pki/ca-trust-source/blacklist/ /etc/pki/tls/ /etc/ssl/certs/

Thanks

I wonder if this related to bug 960230, where users report, that CAs become untrusted after suspend/resume.

Or it could be some SELinux or sandboxing problem. Dan are you running Firefox in some kind of sandbox or with SELinux confinement?

Note that firefox (NSS) now needs to read the /etc/pki/ca-trust directories, that is cert_t domain.

Or is that unmodified default setup?

> Note that firefox (NSS) now needs to read the /etc/pki/ca-trust directories,
> that is cert_t domain.

Also /usr/share/pki/ca-trust-source/ which contains the default trust list.

rpm -qa firefox\* nss\* nspr\* ca-certificate\* p11-kit\*
p11-kit-trust-0.18.2-1.fc19.x86_64
nss-util-3.14.3-1.fc19.x86_64
p11-kit-0.18.2-1.fc19.x86_64
nss-3.14.3-13.0.fc19.x86_64
ca-certificates-2012.87-10.2.fc19.noarch
nspr-4.9.6-1.fc19.x86_64
nss-softokn-3.14.3-1.fc19.x86_64
nss-tools-3.14.3-13.0.fc19.x86_64
p11-kit-devel-0.18.2-1.fc19.x86_64
firefox-21.0-3.fc19.x86_64
nss-softokn-freebl-3.14.3-1.fc19.x86_64
nss-sysinit-3.14.3-13.0.fc19.x86_64

ls -l /etc/alternatives/libnssckbi.*
lrwxrwxrwx. 1 root root 34 May 16 09:20 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/pkcs11/p11-kit-trust.so

ls -l /etc/pki/ca-trust/source/anchors/ /etc/pki/ca-trust/source/ /etc/pki/ca-trust/source/blacklist/ /usr/share/pki/ca-trust-source/ /usr/share/pki/ca-trust-source/anchors/ /usr/share/pki/ca-trust-source/blacklist/ /etc/pki/tls/ /etc/ssl/certs/
/etc/pki/ca-trust/source/:
total 12
drwxr-xr-x. 2 root root 4096 May 27 09:36 anchors
drwxr-xr-x. 2 root root 4096 May 27 09:36 blacklist
-rw-r--r--. 1 root root 3920 May 27 09:33 README

/etc/pki/ca-trust/source/anchors/:
total 0

/etc/pki/ca-trust/source/blacklist/:
total 0

/etc/pki/tls/:
total 24
lrwxrwxrwx. 1 root root    49 May 28 08:18 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
drwxr-xr-x. 2 root root  4096 May 28 08:18 certs
drwxr-xr-x. 2 root root  4096 Mar 19 13:38 misc
-rw-r--r--. 1 root root 10906 Mar 18 16:56 openssl.cnf
drwxr-xr-x. 2 root root  4096 Mar 18 17:02 private

/etc/ssl/certs/:
total 1472
lrwxrwxrwx. 1 root root     49 May 28 08:18 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-rw-r--r--. 1 root root 704495 Jul 23  2012 ca-bundle.crt.rpmsave
lrwxrwxrwx. 1 root root     55 May 28 08:18 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. 1 root root 787088 Jul 23  2012 ca-bundle.trust.crt.rpmsave
-rwxr-xr-x. 1 root root    610 Mar 18 17:03 make-dummy-cert
-rw-r--r--. 1 root root   2242 Mar 18 17:03 Makefile
-rwxr-xr-x. 1 root root    829 Mar 18 17:03 renew-dummy-cert

/usr/share/pki/ca-trust-source/:
total 916
drwxr-xr-x. 2 root root   4096 May 27 09:36 anchors
drwxr-xr-x. 2 root root   4096 May 27 09:36 blacklist
-rw-r--r--. 1 root root   4940 May 27 09:33 ca-bundle.neutral-trust.crt
-rw-r--r--. 1 root root   2117 May 27 09:33 ca-bundle.supplement.p11-kit
-rw-r--r--. 1 root root 912138 May 27 09:33 ca-bundle.trust.crt
-rw-r--r--. 1 root root   3961 May 27 09:33 README

/usr/share/pki/ca-trust-source/anchors/:
total 0

/usr/share/pki/ca-trust-source/blacklist/:
total 0

Both machines were installed with F18 and updated to F19.

I don't think it is SELinux related.  How can I blow away the ones I said to trust to see if it is an SELinux issue.  My process seesm to be allowed to read the /usr/share/pki/ca-trust-source.

The information in comment 7 looks as expected. I have the same packages and files on my F19 VM, which has selinux enabled. In that VM, I can use firefox to connect to google sites and facebook, no warnings in firefox.


What does this say:

# ls -l /etc/pki/ca-trust/extracted/openssl/

It should contain a file with about the following size:
-r--r--r--. 1 root root 296995 May 31 09:38 ca-bundle.trust.crt

That file is dynamically used by 
 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/pkcs11/p11-kit-trust.so
to provide the list of trusted root certs for NSS in Firefox.

If that file were missing, it could be created/updated by running (as root):
# update-ca-trust
and restart firefox,


(In reply to Daniel Walsh from comment #7)
> 
> How can I blow away the ones I said to
> trust to see if it is an SELinux issue.


Do you mean, how you could delete the overrides that you had added in Firefox?

To delete them, use:
- menu edit/preferences/advanced/encryption/view certificates
- click the "servers tab"

That UI isn't the best, the display includes things that you cannot delete. However, ignore the entries with a * in the second column. All other entries are your overrides that you could delete.

While you're at it, in this same certificate manager window, click the "Authorities" tab.

Scroll down to Verisign. You should see several entries that have "default trust" in the second column. Can you confirm?

> While you're at it, in this same certificate manager window, click the
> "Authorities" tab.
> 
> Scroll down to Verisign. You should see several entries that have "default
> trust" in the second column. Can you confirm?

Most entries in that list should be marked as trusted already. Click a few of them, one after the other, and click the "edit trust" button for each of them. the window that opens should have the first item checked, for many of them.

I currently have no real idea what might be broken on your system.

One idea is to visit sites that use certs from different CAs, in the hope that only some CAs are not trusted on your system:

Do you get an error for each of the following links?

- https://startssl.com/ (startcom)
- https://www.paypal.com/ (verisign)
- https://bugzilla.redhat.com (geotrust)
- https://code.google.com/ (equifax)
- https://mobile2025.cybertrust.ne.jp/ (cybertrust)

If some work, then maybe there have been changes made to the trust settings in your firefox profile.

If none of them work, then we have a general problem. Maybe your firefox doesn't load the libnssckbi.so module (it's not a link time dependency, it's dynamically loaded).

$ strace -f firefox 2>&1 |egrep "nssckbi|p11-kit"

should print:

[pid 18825] open("/lib64/libnssckbi.so", O_RDONLY|O_CLOEXEC) = 43
[pid 18825] stat("/usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit", {st_mode=S_IFREG|0644, st_size=2117, ...}) = 0
[pid 18825] open("/usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit", O_RDONLY) = 44


$ ls -l /lib64/libnssckbi.so 

should print:

lrwxrwxrwx. 1 root root 38 May 27 08:43 /lib64/libnssckbi.so -> /etc/alternatives/libnssckbi.so.x86_64

I have asked for a lot of tests, and I'm interested in the results of the above.

However, here is one more test, which can be used to test Firefox with default settings:

- firefox -no-remote -CreateProfile test
- firefox -no-remote -P test

Try to load pages in this default firefox. If it works, then your old profile is messed up. If it is, I'd be interested to analyze it.

Coming over from bug #960230 since I'm seeing this without suspend on Firefox, Thunderbird, Chrome and Evolution.  Happens to me once or twice a day.  Restarting any of these apps fixes it for that app.

What would you like me to do when it happens again?

Also in my case SELinux is disabled (since some proprietary stuff I need to run for HP is difficult to run with SELinux)

Dan, do you by chance have Google Chrome installed?  We were discussing this issue in the other bug and we think that might be related to this.

export P11_KIT_DEBUG=all
firefox -no-remote > log 2>&1

Load a page that gives you the errors.

Afterwards, please look at the logfile (or send it to me).
Does it talk about errors?

I also have this problem on both my F19 machines: after a variable runtime (between 15 minutes and 24 hours), the certificate errors start to appear everywhere, and restarting Firefox solves it.

I don't have Chrome installed on either machine, but I have Chromium on one. SELinux is enabled on both machines.

(In reply to Kai Engert (:kaie) from comment #15)
> export P11_KIT_DEBUG=all
> firefox -no-remote > log 2>&1
> 
> Load a page that gives you the errors.
> 
> Afterwards, please look at the logfile (or send it to me).
> Does it talk about errors?

Dan, could you please provide this information? Doing so would allow us to identify if this is a duplicate of bug #969463.

> Doing so would allow us to
> identify if this is a duplicate of bug #969463.

Stef means "duplicate of bug 960230".

I believe everyone having reported intermittent failures is likely to be affected by bug 960230.

The remaining issue is: Are there situations where it breaks immediately?

Stef, I propose to provide to prepare an RPM build with the fix for bug 960230 and ask everyone to install it. Maybe it will solve Dan's problem already.

Could you test this update, and post positive karma if it fixes the issue?

https://admin.fedoraproject.org/updates/p11-kit-0.18.3-1.fc19

It fixes other (minor) things as well, so no need to leave negative karma unless it breaks.

Thank you.

Sorry just back from the Summit.  I have the p11-kit installed and have not noticed the problem recently.

I am on Rawhide now.

rpm -q p11-kit
p11-kit-0.18.3-1.fc20.x86_64
 rpm -q firefox
firefox-21.0-3.fc19.x86_64

Thanks Dan. Closing as a duplicate.

*** This bug has been marked as a duplicate of bug 960230 ***